
Usage

droid is able to:

  • Validate the content of the rules
  • Convert the Sigma rules
  • Perform ad-hoc search on the platform and report for findings
  • Export (deploy) the rules
  • Check the integrity of the rules on platforms

Note

droid is a command line tool using subcommands.

  • Commands are grouped under droid rules or droid sources
  • Make sure to specify the droid configuration file using -c
  • You can select a directory (this will load all the rules within sub-directories) or a single rule
  • You can generate a JSON logging file using -j (global option, placed before the subcommand)
  • Debug mode is enabled with -d or --debug (global option, placed before the subcommand)

Validate

Note

This requires a validation configuration, see here.

droid rules validate \
--rules sigma/sigmahq-core/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml \
--config-file droid_config.toml

Convert

droid rules convert \
--rules rules/sigma/ \
--config-file droid_config.toml \
--platform splunk

With debug output:

droid --debug rules convert \
--rules rules/sigma/ \
--config-file droid_config.toml \
--platform splunk

Info

If you want to use the Sigma filters, you can store your filters in a directory and use the sigma_filters_directory parameter. See the configuration.

Search

Note

This feature works only with the supported platforms.

Info

droid will report findings according to the search time range configured in your configuration. If there is any hit, it raises a warning but does not return an error exit code.

droid rules search \
--rules sigma/sigmahq-core/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml \
--config-file droid_config.toml \
--platform microsoft_sentinel

You can use the search feature to run rules converted for Microsoft XDR with Microsoft Sentinel as the search head; the search is executed against your Microsoft Sentinel setup. This is also compatible with the --mssp mode.

droid rules search \
--rules sigma/sigmahq-core/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml \
--config-file droid_config.toml \
--platform microsoft_xdr \
--sentinel-xdr

MSSP

Currently the MSSP mode is available for Microsoft Sentinel and Microsoft XDR.

droid rules search \
--rules sigma/sigmahq-core/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml \
--config-file droid_config.toml \
--platform microsoft_sentinel \
--mssp

When using the MSSP mode, you can apply specific filters for designated customers. By adding customer_name and customer_filters_directory to the TOML configuration under platforms.<platform>.export_list_mssp.CustomerName, droid will load the default filters directory from base AND the Sigma filters in customer_filters_directory.

Example:

[platforms.microsoft_xdr.export_list_mssp.Zoidberg]
tenant_id = "122d2a69-c233-4824-a009-a431d839d799"
customer_name = "Zoidberg"
customer_filters_directory = "filters/zoidberg/"

Test using Atomic Red Team

Example

This feature is under development, stay tuned!

Export

Info

If one or more rules have the custom field disabled or removed set to true, droid will make sure the rule is disabled on the platform, or remove the detection rule if it exists there.

droid --debug rules export \
--rules rules/rules/sigma/ \
--config-file droid_config.toml \
--platform splunk

Integrity

Info

This feature verifies whether the id, description and rule search match the platform's saved search.

droid --debug rules integrity \
--rules rules/rules/sigma/ \
--config-file droid_config.toml \
--platform splunk